I got it working using the settings below, thanks for the tip.
Original Message:
Sent: Mar 13, 2024 05:02 PM
From: chulcher
Subject: Unknown problems onboarding IAPs to a Virtual Controller
Option 43 input is entirely dependent on the DHCP server used, but I've usually not had to explicitly use a hex value. You can search for "aruba option 43" and find a bunch of resources on that, but handling of UAP isn't always as straightforward as the days of CAP/IAP only.
ISC:
option masterip code 43 = ip-address;
subnet 192.168.96.0 netmask 255.255.255.0 {
    option domain-name "network.lab";
    option routers 192.168.96.1;
    option ntp-servers 192.168.96.1;
    option domain-name-servers 192.168.96.1;
    pool {
        range 192.168.96.101 192.168.96.239;
    }
    switch (option vendor-class-identifier) {
        # Aruba - Normal Campus AP
        case "ArubaAP":
            option vendor-class-identifier "ArubaAP";
            option masterip 192.168.96.21;
            break;
        # Aruba - Unified AP
        case "ArubaInstantAP":
            option vendor-class-identifier "ArubaAP";
            option masterip 192.168.96.21;
            break;
    }
}
Unfortunately I haven't set up my lab Windows DHCP server to support a similar setup, but I can probably recreate that if you are particularly interested. Requires setting a policy based on the option 60 value received and then always returning "ArubaAP" as shown in the ISC config. Option 43 is predefined but input can be done using ASCII.
https://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/DHCP_Option_43.php
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Mar 13, 2024 04:34 PM
From: mvanoverbeek
Subject: Unknown problems onboarding IAPs to a Virtual Controller
Thank you, that is insightful information. I tried the DHCP options but thus far am unlucky. I find various information on the internet; some say to use DEC to HEX conversion while others say I have to convert ASCII to HEX. The settings I used are in the screenshots below. I read something about using 0104 prior to the IP; that's what I used. Any recommendations? Thanks again for the advice so far!
------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
Original Message:
Sent: Mar 13, 2024 12:11 PM
From: chulcher
Subject: Unknown problems onboarding IAPs to a Virtual Controller
The 345, when factory defaulted, will boot as UAP, meaning the AP has the ability to discover a controller and automatically convert. Manual conversion from IAP isn't necessary. Support for campus operation requires a controller discovery method be implemented, and if traversing an L3 boundary then DNS or DHCP are your available options.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Mar 13, 2024 11:40 AM
From: mvanoverbeek
Subject: Unknown problems onboarding IAPs to a Virtual Controller
I saw those settings, yes, but was wondering: what does that do for an IAP when you press the convert button and point it to the VMC? I will try it out regardless!
------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
Original Message:
Sent: Mar 13, 2024 10:10 AM
From: Carson Hulcher
Subject: Unknown problems onboarding IAPs to a Virtual Controller
Did you configure the controller discovery options? You need either a DNS entry or to configure DHCP scope options 43 and 60 to instruct the AP on where to find the controller at boot time. I've not tested, not entirely sure that the IAP will save the IP used for the conversion as the LMS.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Mar 13, 2024 09:46 AM
From: mvanoverbeek
Subject: Unknown problems onboarding IAPs to a Virtual Controller
I double checked the settings, my port-group is set with the correct security settings. The only thing I found with my setup that was different from the manual was the removal of the unused disk. I changed that.
Below the vSwitch and port-group. The way I understand it, the port-group should be promiscuous, allow forged transmits and MAC changes.
As mentioned, all seems to work fine now, but I was unable to register the AP with the VMC when not in the same VLAN.
------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
Original Message:
Sent: Mar 12, 2024 10:21 PM
From: chulcher
Subject: Unknown problems onboarding IAPs to a Virtual Controller
Sounds like the deployment of the VMC isn't correct; make sure to follow all of the instructions in the Virtual Appliance Installation Guide.
Of particular importance is getting the security settings on the vSwitch correct.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Mar 12, 2024 01:56 PM
From: mvanoverbeek
Subject: Unknown problems onboarding IAPs to a Virtual Controller
I thought it was easy onboarding an AP on a VMC, so I tested it out in my homelab, but it is one issue after another.
It took me 3 hours to get an IAP 345 onboarded to my Virtual controller, and even now, I don't understand why it would not connect initially in a routed solution and why it became unstable for about an hour in the controller VLAN.
My setup is as follows:
- VMC on ESXi (VMC_8.10.0.10_89128)
- An IAP access-point (AOS 8.10.0.10_89128)
- A Fortigate Firewall passing all traffic, basically acting as a router only.
- Fortigate acting as a DHCP server
In my first setup (below), I had a factory default AP; the AP kept failing when I hit the convert to Campus AP button. When reviewing the logs from the AP the common theme was "Authentication failures (IKEv2)".
I pivoted and placed the AP directly into the VMC subnet, as depicted below. I observed the network being quite unstable for a while. When trying to log into the VMC some menus looked strange. The maintenance and diagnostics menus were repeated over and over again. I reviewed the logs and I found KERNEL logs of the Access-point with the interface that flapped a whole bunch of times.
Eventually the Access-point appeared within the Controller, but I have no idea how and why. I think I followed the manuals appropriately, but it would be great if someone can point me to the do's and don'ts of onboarding access-points into a virtual controller. The YouTube videos weren't enough for me at least :)
------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
------------------------------
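The thread mentions several ways of entering option 43 (an ISC `ip-address` type, ASCII text, and a hex value prefixed with 0104), and each puts different bytes on the wire. The following is an added example, not part of any post in the thread, that builds those byte strings for the controller IP used in the ISC config and classifies a payload copied from a packet capture of the DHCP offer. The function names are hypothetical, and reading "0104" as a sub-option code 1 with length 4 is an assumption.

```python
import ipaddress


def option43_encodings(controller_ip: str) -> dict[str, bytes]:
    """Bytes each input convention from the thread puts in option 43."""
    raw = ipaddress.IPv4Address(controller_ip).packed
    return {
        # ISC dhcpd with 'option masterip code 43 = ip-address;'
        "raw": raw,
        # IP typed as text ("input can be done using ASCII")
        "ascii": controller_ip.encode("ascii"),
        # Assumed reading of "0104 prior to the IP": sub-option 1, length 4
        "tlv": bytes([0x01, len(raw)]) + raw,
    }


def classify_option43(payload: bytes) -> tuple[str, str]:
    """Identify which convention produced an option 43 payload from a capture."""
    if len(payload) == 6 and payload[:2] == b"\x01\x04":
        return "tlv", str(ipaddress.IPv4Address(payload[2:]))
    if len(payload) == 4:
        return "raw", str(ipaddress.IPv4Address(payload))
    try:
        # A dotted-quad in ASCII is 7 to 15 bytes, so it cannot collide
        # with the 4-byte or 6-byte binary forms handled above.
        text = payload.decode("ascii")
        return "ascii", str(ipaddress.IPv4Address(text))
    except ValueError:  # covers UnicodeDecodeError and AddressValueError
        return "unknown", payload.hex()


if __name__ == "__main__":
    SAMPLE_IP = "192.168.96.21"  # controller address from the ISC config above
    for name, data in option43_encodings(SAMPLE_IP).items():
        print(f"{name:5} {data.hex():28} -> {classify_option43(data)}")
```

Comparing the hex printed here with the option 43 bytes in a capture shows which convention the DHCP server actually applied to the value that was typed in.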